Secret Agent

Continuously Randomizes your SeaMonkey/Ice Weasel/Pale Moon/Firefox HTTP User Agent, to Suppress Device Fingerprinting, and Resist Web Tracking. Also Prevents eTag Tracking.

   Click to Install Secret Agent   

Firefox Users; See Notes on Firefox Addon Signing

Latest version 1.35  (released 2016-12-22, Release Notes).

Please follow the installation instructions below carefully. Protect your right to communication privacy, security, and integrity. Stop Phorm.

MD5 Checksum: 9e1128e537b4ebfc2d22c7c86fb832cb
SHA1 Checksum: 454b3c3c88a309af67c6988feece15e78bf94040


 Jeg ville være taknemmelig, hvis du kan hjælpe mig med at forbedre oversættelsen til dansk
 in Deutsch übersetzt (dank Anton, und Frank)
 traduit en français (merci à Lambic )

Please contact me if you would be willing to contribute a translation, or improve an existing translation.

What Secret Agent Does...

With every web request (or page load, or browser session), Secret Agent does the following things;

  • Compares the web site host to a white list
  • If the host isn't on the white list,
    • Request Headers;
      • Overrides your browser's 'User Agent' with a random alternative selected from a customizable list
      • Overrides your browser's 'Accept' header with a random alternative selected from a customizable list
    • Javascript;
      • Overrides your brower's Javascript navigator.oscpu value using a random alternative selected from a customizable list
    • Proxy Headers;
      • Sets an HTTP X-Forwarded-For header with a random IP address
      • Sets an HTTP Via header with a random IP address
    • Cache Headers;
      • Sets a spoof ETag header with a random string of characters
      • If the optional 'If-Modified-Since' spoofing feature is enabled, overrides incoming 'Last-Modified' headers with a random time offset
    • Hijack Detection;
      • Displays a warning message if an HTTP request is redirected to another server (possibly indicating surveillance)
      • If the optional override feature is enabled, hijacked redirections are replaced with a customisable tell-tale image URL
  • If the host is on the white list
    • Request Headers;
      • Presents your browser's default 'User Agent' (or overrides with a user configurable value)
      • Presents your browser's default 'Accept' header (or overrides with a user configurable value)
    • Javascript;
      • Presents your browser's default Javascript navigator.oscpu value (or overrides with a user configurable value)
    • Proxy Headers;
      • Unaffected
    • Cache Headers;
      • Unaffected
    • Hijack Detection;
      • If optional hijack detection is enabled, handling as for stealth mode

About Secret Agent

The Secret Agent Add On is another counter surveillance tool, from the same developers as Dephormation.

Secret Agent enhances the privacy of your web surfing, by rotating your browser's 'User Agent' identity with every web request (or every page load, or every browser session)... rather like the plates on Bond's famous DB5.

Randomizing your User Agent makes it a little harder for crooks, rogue ISPs, spies like Phorm, corrupt Governments, and other nasty surveillance/tracking threats to correlate your clicks on the basis of 'device fingerprinting'.

Secret Agent can also

  1. randomise the 'Accept' header presented by your browser... further concealing the type of browser in use
  2. generate spoof HTTP proxy headers ('X-Forwarded-For' and 'Via') ...  making your connection appear to originate from a random IP address, connecting via a chain of proxies.
  3. generate spoof ETags headers ('If-None-Match') with random values, preventing ETags being misused for tracking (but potentially preventing caching on untrusted sites).
  4. optionally, override incoming 'Last-Modified' headers to add a random time offset, preventing outgoing 'If-Modified-Since' headers being misused for tracking
  5. randomise your browser's Javascript navigator.oscpu value, making client side 'device fingerprinting' less effective.
  6. warn when HTTP requests are redirected to another server.

According to the EFF's Primer on Information Theory and Privacy;

    "It turns out that, in addition to the commonly discussed "identifying" characteristics of web browsers, like IP addresses and tracking cookies, there are more subtle differences between browsers that can be used to tell them apart.

    One significant example is the User-Agent string, which contains the name, operating system and precise version number of the browser, and which is sent every web server you visit."

You can test your browser on the Panopticlick site. To see the headers sent by your browser, try the HTTP header viewer at You can also test the add on against the site. If you want to see the effect on tracking by eTags, try enabling 'stealth mode' while viewing the Cookieless tracking demo on

Surveillance systems like Quantum Cookie/ FoxAcid/ Phorm use a "man in the middle" attack to hijack HTTP requests, and redirect your browser to third party controlled web servers. Secret Agent's hijack detection feature can warn you when such events occur, and override hostile requests with a tell-tale URL.

For best results, please read the instructions below in full before you use this add on. Secret Agent, used in combination with cookie blocking, script blocking, and anonymity networks like Tor, is likely to be particularly effective at preventing anyone tracking your web surfing.


Secret Agent allows you to switch between 'stealth' and 'default' mode with a single click. Click on the Secret Agent toolbar button or add-on bar icon to toggle between 'stealth' and 'default' mode;

Image showing the toggle between stealth and default

You can choose to change your browser headers once per request, once per page load, or once per browser session;

Image showing secret agent entropy levels

Secret Agent randomises your browser 'User Agent' headers by picking a value from a list. You don't have to use the standard User Agent list. In fact, I'd encourage you to customise the list, to better match (or hide) the general characteristics of the device you use. I normally replace the standard list with 2,000+ desktop user agents.

Alternatively a simple block of nonsense paragraphs works well... For example, you could use a block of text from Project Gutenberg or a list of Bond Films. Web sites will usually default to a fail-safe 'standards compliant' version of their content when they don't recognise your browser's User Agent headers. More commonly, web sites ignore your User Agent completely.

On whitelisted sites, you can choose to present the browser's default User Agent, or configure a User Agent override.

Tip; start with a small list of user agents, and build on it once you understand the effect that randomising your user agent has on your net surfing. For greater stability/ease of use, closely match the list of user agents to your real browser. If you want to conceal the type of browser you use, try a broader range of obscure user agents instead.

Image showing secret agent user agent list

The same method is used to randomise your browser 'Accept' headers.

Image showing Secret Agent accept headers

And likewise a list of Javascript navigator.oscpu strings can be configured (not shown in pictures above).

The ETag spoofing feature adds a random 'If-None-Match' header value to outgoing requests, making it impossible for sites to use ETags to track your net surfing. Note that spoofing ETags may impair caching on untrusted sites (but in general has very little impact on browser performance).

Optionally, incoming 'Last-Modified' headers can also be changed, adding a random time offset (max +0hrs/min -24hrs) to prevent 'If-Modified-Since' headers in outgoing requests being used for tracking. Again, this may impair caching on untrusted sites.

Random HTTP proxy headers ('X-Forwarded-For' and 'Via') are also added to every outgoing request, making the actual source of your web requests more difficult to determine.

An easy to use host whitelist feature allows you to specify the trusted web sites that will receive the real User Agent and no spoofed headers;

Image showing Secret Agent whitelist

You can also specify whitelisted host names using wildcards. The '*' wildcard matches any character string, and '?' matches any single character (eg, * or www.s?cr?t?g?

A dynamic context menu item gives you convenient methods to add/remove sites from your whitelist.

The hijack detection feature of Secret Agent alerts you to attempts to redirect your browser to third party controlled web servers, and allows you to override them with a tell-tale URL.

Example default tell-tale image:

Secret Agent also offers a gratuitous  button.

If you're considering installing the Secret Agent Add On, and concerned about online tracking, you might also like to consider the Dephormation Add On which is also available from this site.

Secret Agent is tested on SeaMonkey 2.35 on Windows 8, Pale Moon 25.7 on Windows 8, Firefox 1.5 to 42.0 on Windows XP/7/8,  IceWeasel 3.0 to 10 on Debian Linux, Firefox 3.6 on Fedora, . Will install into SeaMonkey 2.x , Pale Moon 1.5 - 26.x, Firefox 1.5 - 42.x on any platform. Also works under Vista, Windows 7, Windows 8, Linux, Mac, and all other popular operating systems supported by  SeaMonkey, Pale Moon, Ice Weasel, and Firefox. Secret Agent is compatible with other popular add ons like AdBlock Plus, NoScript, RequestPolicy, Self-Destructing Cookies, HTTPS Everywhere, Better Privacy, TrackMeNot, RefControl.  And Dephormation.

New, Privacy Settings Tab

An experimental new feature, the Privacy Settings Tab, gives you access to many difficult to find, or even concealed. privacy affecting profile settings (nb, in English only at the time of writing).

This feature will be translated & extended.

Installation Instructions

You should not rely on any browser extension to protect your privacy, security, and data integrity. You need to find a Phorm free ISP.

Note that Firefox 2 and earlier are vulnerable to 'man in the middle' attacks when installing browser extensions. You should upgrade your browser if possible first.

To install Secret Agent either;

    1) Click here, and allow installation when prompted by your browser.
    2) Restart your browser. A message is displayed as the browser starts, confirming that Secret Agent is active.


    1) Save the SecretAgent.xpi (right click, save link as... SecretAgent.xpi) to your hard disk.
    2) Select 'Tools' menu/'Add-ons' to display the Add-on dialog.
    3) Drag the XPI file into the browser Add-on dialog.
    4) Restart your browser. A message is displayed as the browser starts, confirming that Secret Agent is active.

To configure

    1) Click on the 'Tools' menu.
    2) Click on 'Secret Agent...'.

To uninstall

    1) Select 'Tools' menu/'Add-ons' to display the Add-on dialog.
    2) Click on the Secret Agent 'Remove' button
    3) Restart your browser.

What Secret Agent  Doesn't Do...

Secret Agent cannot prevent Phorm or your ISP from illegally intercepting your communications. For that you need a trustworthy ISP, or a trustworthy law enforcement officer.

Licence   FAQ        Release Notes